
Danish NIS2 Penalties: Up to €10M or 2% of Revenue, and Management Can Face Personal Criminal Liability

The penalty ceilings under Denmark’s NIS2 transposition match the EU directive baseline — up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities. What sets Denmark apart from almost every other EU member state is what happens after a violation is confirmed: Danish supervisory authorities cannot issue administrative fines. Sanctions move through the criminal justice system. A sector authority files a police report, the prosecution service decides whether to bring charges, and a court sets the final amount [6].

This enforcement structure reshapes how organisations should assess their NIS2 risk exposure. The escalation threshold is higher than in Belgium or Germany, where regulators impose fines directly. Minor procedural gaps are unlikely to reach a courtroom in Denmark. But for entities that ignore binding supervisory orders — or whose non-compliance contributes to a significant breach — the outcome is a criminal court proceeding rather than an administrative appeal.

Three other features of Denmark’s framework rarely appear in generic compliance guides: a sector-authority split routing energy entities to Energistyrelsen under Act No. 258/2025, financial entities to Finanstilsynet under DORA, and most others to SAMSIK (formerly the Centre for Cybersecurity, now the Agency for Societal Security); a management personal liability standard limited to gross negligence or intent; and a multi-statute model covering the general, energy, and telecom sectors through three separate laws. This guide maps the full fine structure, the criminal enforcement path, how each sector authority operates, and what your board needs documented before supervisory auditors arrive.

Who Is in Scope: Denmark’s NIS2 Entity Thresholds

The Danish NIS2 Act — formally the Law on Measures to Ensure a High Level of Cybersecurity (Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau), known as Cybersikkerhedsloven — entered force on 1 July 2025, roughly eight months after the EU’s 17 October 2024 transposition deadline. The European Commission issued a reasoned opinion on 7 May 2025 under infringement proceedings for late transposition. Supervisory audits have been underway since January 2026 [3].

Denmark adopted a multi-statute model rather than a single transposition law. Three separate acts govern different industries:

  • General NIS2 Act — applies across 18 sectors for entities not covered by a sector-specific law
  • Act on Security and Preparedness in the Energy Sector (Act No. 258 of 6 March 2025) — in force from 7 March 2025, predating the general Act by nearly four months
  • Act on Security and Preparedness in the Telecommunications Sector (Act No. 435 of 1 July 2025) — in force from 1 July 2025

Essential and Important entity classifications for the general NIS2 Act follow the EU directive’s standard framework:

  • Væsentlig enhed (VE, essential entity): size threshold ≥250 employees, or turnover >€50M and balance sheet >€43M (the EU large-enterprise definition); fine ceiling €10M or 2% of global turnover, whichever is higher; supervisory approach: ex ante (proactive) audits.
  • Vigtig enhed (VI, important entity): size threshold ≥50 employees, or turnover >€10M and balance sheet >€10M (the EU medium-sized enterprise definition); fine ceiling €7M or 1.4% of global turnover, whichever is higher; supervisory approach: ex post (triggered) supervision.
  • Myndighed (public sector body): size threshold not applicable; no monetary fine; corrective directives only.

Size thresholds do not apply to the entity types listed in Article 2(2) of the directive: DNS service providers, top-level domain name registries, trust service providers, and providers of public electronic communications networks or publicly available electronic communications services fall in scope regardless of employee count or revenue. Cloud computing providers, data centre operators, and content delivery network providers are Annex I digital infrastructure entities but remain subject to the size thresholds. Entities operating in energy or telecom fall under the relevant sector-specific law rather than the general Act; statutory carve-outs prevent double regulation.

Mandatory self-registration via virk.dk was required by 1 October 2025. Entities across all three applicable laws must have registered by this date to be considered compliant with the notification obligation [3].

The Fine Ceiling: €10 Million for Essential Entities, €7 Million for Important Ones

NIS2 Directive Article 34 sets the minimum fine ceilings member states must implement. For violations of Article 21 (security requirements) or Article 23 (incident reporting): essential entities face a maximum of at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher; important entities face at least €7,000,000 or 1.4% of global annual turnover, whichever is higher. Denmark adopted these ceilings without extension or minimum thresholds [1].

The “whichever is higher” formula means the percentage-based calculation only bites for the largest organisations. For an essential entity with €200M global revenue, 2% equals €4M — well below the €10M fixed ceiling. At exactly €500M global turnover, 2% equals €10M. Above €500M, the percentage becomes the binding constraint. For the majority of Danish mid-market organisations below that threshold, the fixed ceiling applies regardless of actual revenue size.

Denmark imposes no minimum fine. Some EU member states — Belgium under the CCB enforcement framework, Germany under the BSIG — have established minimum thresholds for specific violations. Danish authorities have full discretion to calibrate sanctions to severity and proportionality, which in practice means minor first-time procedural gaps are unlikely to attract the maximum penalty [4].

Beyond the headline fine, the full enforcement toolkit available under Danish law and the NIS2 Directive’s Articles 32 and 33 includes [2]:

  • Daily penalty payments (løbende bøde) to compel compliance with a binding order that is being ignored
  • Public disclosure of the infringement — naming the organisation and describing the nature of the violation
  • Temporary suspension of relevant certifications or authorisations held by the entity
  • Temporary prohibition on a named individual from exercising management functions, activated through court proceedings

Denmark’s Enforcement Path: Fines Via Criminal Prosecution, Not Administrative Decision

Most EU member states give their NIS2 supervisory authorities the power to issue administrative fines directly: the regulator investigates, issues a decision, and the entity pays or appeals. Denmark chose a structurally different path.

In Denmark, supervisory authorities cannot impose administrative fines. When a sector authority identifies a material compliance failure, the escalation route is a police report (politianmeldelse). The prosecution service (Statsadvokaten) then decides whether to bring charges. If proceedings go ahead, a court determines both whether a violation occurred and what fine applies, using the NIS2 Directive’s fine levels as the sentencing reference [6]. Article 34(8) of the directive explicitly anticipates this arrangement: where a member state’s legal system does not provide for administrative fines, the fine may be initiated by the competent authority and imposed by the national courts instead.

This matters for how organisations assess their actual compliance risk:

  • Longer timeline — criminal proceedings take months to years; an administrative fine decision in Belgium or Germany takes weeks to months
  • Higher escalation threshold — prosecution services weigh public interest and proportionality before charging; procedural gaps without material harm are unlikely to reach court
  • Higher evidentiary standard — criminal proceedings require proof beyond reasonable doubt, a higher bar than the administrative standard used in most EU enforcement contexts
  • Criminal record consequence — a conviction differs in legal and reputational terms from an administrative fine, particularly for regulated entities and their officers

The criminal prosecution route is an escalation path, not the primary supervisory tool. Sector authorities deploy their full supervisory measures toolkit — binding remediation orders, information requests, on-site inspections, security audits — without involving the police. Criminal referral is reserved for entities that ignore binding orders, cause material harm through negligence, or demonstrate wilful non-compliance [4].

For compliance planning, the Danish model suggests a different risk gradient than in administrative-fine jurisdictions: the probability of a maximum-penalty outcome for a first-time procedural gap is lower, but when escalation does occur, the entity faces criminal court proceedings. The practical priority is unambiguous: respond substantively to every supervisory order. Ignoring a binding remediation directive is the scenario most likely to trigger a police report.

SAMSIK Supervisory Powers: What Sector Authorities Can Actually Require

The Centre for Cybersecurity (CFCS) was reorganised in 2025 into Styrelsen for Samfundssikkerhed og Beredskab (SAMSIK — the Agency for Societal Security). SAMSIK functions as national incident coordinator and EU point of contact for NIS2 purposes, and is the sector-responsible authority for internet exchange point providers, public electronic communications network providers, and publicly available electronic communications service providers [3].

Under the Danish NIS2 framework, supervisory powers differ by entity classification, implementing Articles 32 and 33 of the directive [2]:

Essential entities (ex ante supervision): Sector authorities conduct proactive supervisory activities including:

  • Targeted and random on-site and off-site inspections carried out by trained professionals
  • Independent security audits ordered by the authority based on risk assessment criteria
  • Security scans using objective, non-discriminatory technical criteria
  • Information requests on cybersecurity risk-management policies and procedures
  • Access to data, documentation, and implementation evidence — auditor reports, penetration test results, vulnerability assessment outputs

Important entities (ex post supervision): Identical powers, but triggered by an alleged violation, reported incident, or specific complaint — not as part of a standing audit programme. Important entities are not subject to routine proactive inspections in the same way as essential entities.

Incident reporting obligations run through virk.dk and SAMSIK’s reporting portal on the following schedule [3]:

  • 24-hour early warning — initial notification upon becoming aware that a significant incident has occurred
  • 72-hour technical notification — detailed report with initial impact and severity assessment
  • 30-day closure report — root-cause analysis, remediation steps, and cross-border impact assessment if applicable

Failing any notification window is a separate compliance failure — distinct from the underlying security incident and subject to enforcement on its own.

The Sector Split: Energistyrelsen, Finanstilsynet, and the DORA Carve-Out

Denmark’s multi-statute model means your sector determines which authority supervises you — and potentially which law governs your obligations. The general NIS2 Act does not apply to entities governed by a sector-specific law for activities within that sector’s scope.

Energy sector — Energistyrelsen (Danish Energy Agency)

Act No. 258 of 6 March 2025 (Act on Security and Preparedness in the Energy Sector) entered force on 7 March 2025 — more than three months before the general NIS2 Act. Energistyrelsen is the competent authority for electricity generators, transmission and distribution operators, gas network operators, and district heating providers. The Act is supplemented by at least three Ministerial Orders covering organisational resilience, physical security, cybersecurity, personnel approvals, incident reporting, and supply chain security [8]. Energy operators that qualify as essential or important entities under the energy-sector thresholds register with and report to Energistyrelsen — not SAMSIK. The same penalty ceilings (€10M/2% for essential, €7M/1.4% for important) and the criminal prosecution enforcement model apply equally.

Financial sector — Finanstilsynet and the DORA lex specialis

Danish banking and financial services entities face a complexity absent in most other sectors: the Digital Operational Resilience Act (DORA, Regulation EU 2022/2554) applies as lex specialis, displacing NIS2’s Article 21 risk-management and Article 23 incident-reporting obligations for covered financial entities. DORA has applied from 17 January 2025.

Finanstilsynet (the Danish Financial Supervisory Authority) is the competent authority for DORA compliance in Denmark. Under DORA, financial entities face a different fine structure: up to €10 million or 5% of total annual turnover for serious breaches, higher than NIS2’s 2% ceiling. Finanstilsynet also receives major ICT incident reports and significant cyber threat notifications from financial institutions, rather than SAMSIK handling that function [7].

The practical rule for Danish financial entities: DORA governs ICT risk management and incident reporting; the general NIS2 Act still applies for scope determination and CSIRT coordination. Entities covered by DORA include credit institutions, payment institutions, investment firms, insurance companies, crypto-asset service providers, and critical ICT third-party service providers [7].

Telecommunications

Act No. 435 of 1 July 2025 governs telecommunications providers as a sector-specific law, so public electronic communications network and service providers register and report under the telecom Act rather than the general NIS2 Act. As noted above, SAMSIK is the sector-responsible authority for these providers [3]; Energistyrelsen and Finanstilsynet play no role in telecom supervision.

Digital infrastructure and all other sectors

The Danish Agency for Digital Government (Digitaliseringsstyrelsen) is the sector-responsible authority for DNS resolver operators, TLD administrators, cloud computing service providers, data centre operators, CDN providers, and trust service providers. All other Annex I and Annex II sector entities fall under the general NIS2 Act with SAMSIK as the coordinating authority.

Management Personal Liability: Gross Negligence, the Companies Act Amendment, and Director Bans

NIS2 Directive Article 20 requires management bodies to approve cybersecurity risk-management measures, oversee their implementation, and undergo regular cybersecurity training. Article 32 grants supervisory authorities the power to seek a temporary prohibition on named individuals from exercising management functions in cases of serious non-compliance. Denmark transposed both obligations — but with a key limitation that distinguishes the Danish framework from several other EU implementations.

Under the Danish transposition, personal charges against individual board members or senior executives for NIS2 violations will only be brought when the person acted with gross negligence or intent, a higher personal liability threshold than in some EU member states [6]. A compliance officer who misses a reporting deadline through administrative oversight exposes the organisation to corporate liability, not themselves to personal prosecution. A board member who receives a formal regulatory warning about a known critical vulnerability, takes no action, and then sees a material breach occur faces criminal exposure under the gross negligence standard.

The Companies Act amendment separately requires boards to complete three obligations that are verifiable and auditable:

  1. Formally approve the organisation’s cybersecurity risk-management programme — documented in board minutes [5]
  2. Maintain documented evidence of their oversight activities, available to supervisory authorities on request
  3. Complete cybersecurity training at board level, with evidence available to supervisory authorities

These governance obligations are independent of the criminal liability threshold. Even where personal prosecution is unlikely for ordinary compliance gaps, the audit question is direct: does the board minute approving the cybersecurity programme exist? Missing that document is an immediate supervisory finding, and it can be cited as evidence of gross negligence in any subsequent proceedings that follow a breach.

The director-ban mechanism — temporary prohibition from holding management positions — is available in Denmark as a criminal sentencing option. Unlike Belgium, where the CCB can petition a court directly for a management suspension as a civil enforcement measure, in Denmark the mechanism only activates through criminal court proceedings. The practical likelihood of a director ban is tied to the same escalation threshold as the criminal fine: serious, repeated, or intentional non-compliance [6].

What Danish Organisations Need to Document Before Supervisory Audits

Supervisory audits began in January 2026. For essential entities — subject to proactive ex ante supervision — auditors request documentation across the Article 21(2) security domains from initial contact. Two structural checkpoints specific to Denmark receive particular attention.

Board-level approval records are the first governance checkpoint. The Companies Act amendment makes formal board sign-off on the cybersecurity programme a legal requirement — not optional documentation. An entity that cannot produce board minutes showing approval of its risk-management programme has a compliance gap that is independent of whatever technical controls are in place.

Correct sector registration is the second checkpoint. Entities operating across sectors — a financial group with energy subsidiaries, for example — must confirm which law governs each business unit and register with the correct authority. Registering with SAMSIK when Energistyrelsen is the correct authority constitutes misregistration and is itself a compliance failure [4].

The documentation baseline Danish organisations should have available before an audit:

  • Cybersecurity risk-management policy, approved by the management body: Art. 21(2)(a), risk analysis and information security policies; board sign-off required.
  • Incident response procedure with 24h/72h/30d notification workflows: Art. 21(2)(b), incident handling, plus Art. 23 reporting; board sign-off required.
  • Business continuity and disaster recovery plan: Art. 21(2)(c), business continuity; board sign-off required.
  • Supply chain security policy: Art. 21(2)(d), supply chain and third-party security; board sign-off required.
  • Vulnerability and patch management policy: Art. 21(2)(e), security in system acquisition, development and maintenance, including vulnerability handling; board sign-off required.
  • Board cybersecurity training records: Art. 20 management body obligation; no sign-off, but evidence of completion must be available.
  • NIS2 registration confirmation (virk.dk): Danish NIS2 Act registration obligation; no sign-off required.
  • Sector registration confirmation (energy/telecom/finance): Act No. 258, Act No. 435 or DORA as applicable; no sign-off required.

Frequently Asked Questions

Is Denmark’s NIS2 Act fully in force?

Yes. The Act entered force on 1 July 2025. Entity self-registration via virk.dk was required by 1 October 2025. Supervisory audits began in January 2026. Denmark missed the EU’s 17 October 2024 transposition deadline and received an EC reasoned opinion in May 2025, but the law is fully active [3].

Can Danish regulators issue NIS2 administrative fines directly?

No. Unlike most EU member states, Denmark routes NIS2 sanctions through the criminal justice system. A sector authority files a police report; the prosecution service decides whether to bring charges; a court sets the fine amount, using the directive’s penalty levels as the reference [6].

Which authority supervises NIS2 compliance for my organisation?

It depends on your sector. SAMSIK (formerly CFCS) coordinates nationally and supervises internet exchange points and electronic communications providers. Energistyrelsen supervises energy entities under Act No. 258/2025. Finanstilsynet supervises financial entities primarily under DORA. Digitaliseringsstyrelsen covers digital infrastructure providers. Most other sectors fall under the general NIS2 Act with SAMSIK as coordinator [3].

Are Danish board members personally liable for NIS2 non-compliance?

Personal criminal charges against individual executives or board members require proof of gross negligence or intent — a higher standard than in some EU member states. Corporate liability applies more broadly. The Companies Act amendment imposes a separate governance obligation on boards (formal programme approval, documented oversight, cybersecurity training) that applies regardless of whether personal prosecution is likely [6].

How does DORA interact with NIS2 for Danish financial entities?

DORA applies as lex specialis for covered financial entities, displacing NIS2’s Article 21 and Article 23 obligations. Finanstilsynet is the primary supervisor; DORA fine ceilings reach €10M or 5% of annual turnover. The general NIS2 Act still governs scope determination and CSIRT registration [7].

Does Denmark’s NIS2 law apply to public sector bodies?

Yes, public sector bodies (myndigheder) are in scope — they must meet the security and incident-reporting obligations. However, monetary fines do not apply to the public sector. Enforcement takes the form of corrective directives and binding remediation orders [4].

Sources

  1. European Union. NIS2 Directive (EU) 2022/2555, Article 34 — Administrative fines for essential and important entities. eur-lex.europa.eu
  2. NIS2 Directive (EU) 2022/2555, Article 33 — Supervisory and enforcement measures for important entities. nis2resources.eu
  3. Danish Agency for Digital Government (Digitaliseringsstyrelsen). “What is NIS 2?” — official Danish NIS2 guidance and registration information. en.digst.dk
  4. Copla. “NIS2 directive regulations and implementation in Denmark” (2025). copla.com
  5. Cyberday. “What is Cybersikkerhedsloven? Introduction to Danish NIS2” (2025). cyberday.ai
  6. International Comparative Legal Guides (ICLG). “Cybersecurity Laws and Regulations Report 2026: Denmark.” iclg.com
  7. Mazanti Andersen Korsø Jensen. “The Danish implementation of a framework for supervision of the financial sector under the DORA Regulation and NIS2 Directive.” mazantipulse.com
  8. nis-2-directive.com. “NIS2 Directive | Transposition in Denmark.” nis-2-directive.com

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.